Office cold, kettle on, pad open. The shape of 2017 is, on the morning of the first Monday, clearer to me than the start of any of the previous several years has been. The structural pieces — GDPR, the EmilyAI work, the post-Mirai DDoS landscape, the post-DNC information-operation environment — are all visible enough that the planning I am doing in January is more architectural than predictive.
The portfolio carries forward. Browne Jacobson, Towry, Northcott Global Solutions, the manufacturer (now in its third year of engagement), and the new financial-services client added in September make five sustained vCISO engagements. The SOC has eight customers, indexes around six hundred and ten gigabytes per day in Splunk, runs a thousand and forty OSSEC endpoints, and ingests Bro from four customer perimeters in addition to our own. The team is fourteen, including the postgraduate intern who joined full-time on the 3rd, and the second ML engineer who started in October. We are looking at a Bath-side office to take some of the engineer-side work out of the central office; that decision will land in March or April.
GDPR moves into its operational phase this year. The two-year implementation window started May 2016 and the deadline is May 25 2018. Sixteen months remaining. Browne Jacobson and Towry are on track and the work is converting from policy and architecture into specific controls and attestable evidence. Northcott is in the middle of the harder organisational change and the schedule is tight. The manufacturer has the most distance to cover and the senior leadership engagement that I want to see has only just landed, in part because the November regulatory consultation outputs (Article 29 Working Party guidelines on Data Protection Officers, December 13 2016) made the picture concrete in a way that the abstract regulation had not. The new client will have GDPR readiness as their primary engagement focus through 2017.
The Emily work moves from shadow to assist this year. The shadow phase has run since June and the model's agreement rate with analyst decisions has been stable at around 91% on the four-way classification problem and around 89% on the incident-grade-versus-not binary. The next step is to surface the model's high-confidence classifications to analysts as advisory information, with the analyst making the final call. The user-experience question is interesting — how to present model output without pre-biasing the analyst — and the principal engineer for the work has been talking to the analyst team through December about the interface. The first version of the analyst-facing interface lands in early February. The shadow-deployment data continues to be collected throughout, so we can compare the assist phase outcomes against the counterfactual of analyst-only triage.
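As an added illustration of the shadow-phase measurement described above (example code, not the Emily model or any of the SOC's own tooling): the script below scores a constructed set of triage records in which each alert carries the analyst's label, the model's label and the model's confidence. It computes the four-way agreement rate, the collapsed incident-grade-versus-not agreement, the agreement on the high-confidence subset that an assist phase would surface to analysts, and the list of analyst-graded incidents the model missed, which is the disagreement type a defender cares most about before letting model output influence triage. The four class names and the confidence threshold are assumptions for the example.

```python
from collections import Counter

# Constructed shadow-phase triage log (sample data, not the page's figures).
# Each record is (analyst_label, model_label, model_confidence).
# The four-way label scheme is hypothetical; "incident" is the incident-grade class.
CLASSES = ("benign", "suspicious", "policy", "incident")

SHADOW_LOG = [
    ("benign",     "benign",     0.97),
    ("benign",     "benign",     0.92),
    ("benign",     "suspicious", 0.55),
    ("suspicious", "suspicious", 0.88),
    ("suspicious", "benign",     0.61),
    ("suspicious", "suspicious", 0.93),
    ("policy",     "policy",     0.90),
    ("policy",     "policy",     0.71),
    ("incident",   "incident",   0.95),
    ("incident",   "suspicious", 0.58),
]


def agreement_rate(records):
    """Fraction of records where the model label equals the analyst label (four-way)."""
    if not records:
        return 0.0
    return sum(1 for analyst, model, _ in records if analyst == model) / len(records)


def binary_agreement_rate(records, incident_class="incident"):
    """Collapse both labels to incident-grade vs not, then measure agreement."""
    if not records:
        return 0.0
    hits = sum(
        1 for analyst, model, _ in records
        if (analyst == incident_class) == (model == incident_class)
    )
    return hits / len(records)


def high_confidence_subset(records, threshold):
    """The records an assist phase would show to analysts as advisory output."""
    return [r for r in records if r[2] >= threshold]


def confusion_matrix(records):
    """Counts keyed by (analyst_label, model_label); shows where disagreements cluster."""
    return Counter((analyst, model) for analyst, model, _ in records)


def missed_incidents(records, incident_class="incident"):
    """Analyst-graded incidents the model labelled as something else: the
    disagreement that matters most when model output is going to steer triage."""
    return [r for r in records if r[0] == incident_class and r[1] != incident_class]


if __name__ == "__main__":
    print("four-way agreement: %.2f" % agreement_rate(SHADOW_LOG))
    print("binary agreement:   %.2f" % binary_agreement_rate(SHADOW_LOG))
    hc = high_confidence_subset(SHADOW_LOG, 0.85)
    print("high-confidence (>=0.85) agreement: %.2f over %d records"
          % (agreement_rate(hc), len(hc)))
    for (analyst, model), n in sorted(confusion_matrix(SHADOW_LOG).items()):
        print("  analyst=%-10s model=%-10s count=%d" % (analyst, model, n))
    print("missed incidents:", missed_incidents(SHADOW_LOG))
```

Running the shadow phase alongside the assist phase, as the entry describes, is what makes the comparison honest: the same functions applied to the assist-phase log tell you whether showing analysts the high-confidence classifications shifted their decisions towards the model, and the missed-incident list tells you whether any such shift came at the cost of downgrading real incidents.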
The threat-landscape planning. The Mirai-class IoT-DDoS pattern is going to continue and probably escalate; the first quarter will likely see another large attack against an infrastructure provider as the various Mirai derivatives compete for botnet share. The SWIFT-campaign pattern in financial services continues to draw new victims; the SWIFT Customer Security Programme attestation deadline at the end of this year is going to drive substantial customer engagement work. The Shadow Brokers situation is unresolved — they have continued posting through the autumn with various threats and demands and one further partial dump in October, but the principal cache has not been released, and the question of whether and when it will be is a substantial overhang on the Microsoft and other affected-vendor estates.
The information-operation pattern from 2016 is now part of the standard threat model. The post-DNC environment is one in which any organisation holding politically-sensitive material can plausibly face state-actor disclosure-as-weaponised-information operations, on a timeline chosen by the actor, with content curated to specific political effect. The defensive controls for that posture overlap substantially with the controls for ordinary state-grade threat actors, but the timeline and the visibility implications differ — the actor's exit condition is the public release, not the silent exfiltration. Two of the five vCISO clients have explicit elements of this posture in their threat model now, where they did not last January.
The longer-form work I want to commit to this year. The DDoS book successor that I have been outlining for several months is on the schedule. The export-control-cryptographic-debt essay (FREAK, Logjam, DROWN) is on the schedule. A short paper on the early Emily results, written as a research piece rather than as a product piece, is on the schedule for autumn after we have a year of assist-phase data. Conferences: Infosec Europe in June if I can secure a slot, BSides at least once, and a paper-presentation slot at one academic-leaning venue if the Emily writing matures fast enough.
The kettle has boiled. Inbox now.